Certificate update scripts can misbehave on HA control plane

Bug #1885284 reported by Damien Ciabrini
Affects: tripleo
Status: Fix Released
Importance: Medium
Assigned to: Damien Ciabrini
Milestone: (none)

Bug Description

When deploying a TLS-e environment, certmonger tracks the certificates for various services. On certificate update, certmonger calls post-save scripts provided by TripleO. Those scripts are in charge of notifying containers that they must reload their state to use the newly generated certificates.

HAProxy and RabbitMQ post-save scripts are meant to be used on the HA/non-HA overcloud as well as the undercloud/standalone environment. The container names of those services differ depending on whether the environment uses HA (e.g. haproxy-bundle-podman-0) or not (e.g. haproxy).

In an HA overcloud/standalone environment, several containers share the prefix "haproxy" or "rabbitmq"; when the post-save scripts scan containers to signal a certificate update, it can happen that some container (e.g. haproxy_init_bundle) confuses the scripts and makes the update fail.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (master)

Fix proposed to branch: master
Review: https://review.opendev.org/738215

Changed in tripleo:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (master)

Reviewed: https://review.opendev.org/738215
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=3e942b7ff5cc91bfee7cc19d31b502548dcf3f57
Submitter: Zuul
Branch: master

commit 3e942b7ff5cc91bfee7cc19d31b502548dcf3f57
Author: Damien Ciabrini <email address hidden>
Date: Fri Jun 26 16:31:11 2020 +0200

    Ensure post-save certmonger scripts target the right HA container

    HAProxy and RabbitMQ can reload their TLS certificate on change,
    without being restarted. To do that, a post-save script scans the
    list of running containers, copies the new certs and triggers a reload
    action in the service.

    Make sure that those post-save scripts only get the right container
    out of the "$container_cli ps" command, i.e. that the scripts work
    both with HA and non-HA deployments.

    Change-Id: Iaba8da504f9c7a54656cf1abe259dff779ea7125
    Closes-Bug: #1885284

Changed in tripleo:
status: In Progress → Fix Released
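The container selection that the bug description and the commit message above talk about, as an added shell example that is not TripleO's post-save script: a naive prefix match over the "$container_cli ps" output (the failure mode reported here) beside a strict match that accepts only the non-HA service name or an HA bundle replica name. The sample "ps" output is constructed for this example, and the "-bundle-(podman|docker)-N" pattern is an assumption generalised from the "haproxy-bundle-podman-0" name quoted in the report.

```shell
#!/bin/sh
# Added example, not TripleO's post-save script: pick the single container a
# certmonger post-save hook should signal after a certificate update. The
# container names below are constructed for illustration; the HA bundle
# name pattern is an assumption based on the "haproxy-bundle-podman-0" form
# quoted in the bug report.

# Constructed "$container_cli ps --format {{.Names}}" output of an HA
# controller: init containers share the service prefix with the real ones.
SAMPLE_HA_PS='haproxy_init_bundle
haproxy-bundle-podman-0
rabbitmq_init_bundle
rabbitmq-bundle-podman-0
galera-bundle-podman-0'

# Constructed output of a non-HA undercloud/standalone node.
SAMPLE_NONHA_PS='haproxy
rabbitmq
keystone'

# naive_prefix_match SERVICE PS_OUTPUT
# The failure mode from the bug: take the first name that starts with the
# service prefix. On an HA node this returns haproxy_init_bundle, a container
# that does not run the service and so cannot reload its certificate.
naive_prefix_match() {
    printf '%s\n' "$2" | grep "^$1" | head -n 1
}

# select_service_container SERVICE PS_OUTPUT
# Accept only the exact non-HA name (haproxy) or an HA bundle replica name
# (haproxy-bundle-podman-N / haproxy-bundle-docker-N, assumed pattern).
# Print the one match; return 1 when zero or several containers match, so
# the caller fails loudly instead of signalling the wrong container.
select_service_container() {
    service="$1"
    ps_output="$2"
    matches=$(printf '%s\n' "$ps_output" \
        | grep -E "^${service}(-bundle-(podman|docker)-[0-9]+)?\$" || true)
    count=$(printf '%s' "$matches" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one '$service' container, found $count" >&2
        return 1
    fi
    printf '%s\n' "$matches"
}

# When run directly: the naive match picks the init container, the strict
# match picks the bundle replica that actually serves traffic.
printf 'naive:  %s\n' "$(naive_prefix_match haproxy "$SAMPLE_HA_PS")"
printf 'strict: %s\n' "$(select_service_container haproxy "$SAMPLE_HA_PS")"
```

A real hook would feed select_service_container the live "$container_cli ps" output and only then copy the certificates and trigger the reload; refusing to continue on zero or multiple matches is what keeps a certificate rotation from silently leaving the service on the old certificate.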
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/ussuri)

Fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/742088

OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (stable/ussuri)

Reviewed: https://review.opendev.org/742088
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=e0fa5abdf69f4cb7f80bb40c858eef4f7601dea5
Submitter: Zuul
Branch: stable/ussuri

commit e0fa5abdf69f4cb7f80bb40c858eef4f7601dea5
Author: Damien Ciabrini <email address hidden>
Date: Fri Jun 26 16:31:11 2020 +0200

    Ensure post-save certmonger scripts target the right HA container

    HAProxy and RabbitMQ can reload their TLS certificate on change,
    without being restarted. To do that, a post-save script scans the
    list of running containers, copies the new certs and triggers a reload
    action in the service.

    Make sure that those post-save scripts only get the right container
    out of the "$container_cli ps" command, i.e. that the scripts work
    both with HA and non-HA deployments.

    Change-Id: Iaba8da504f9c7a54656cf1abe259dff779ea7125
    Closes-Bug: #1885284
    (cherry picked from commit 3e942b7ff5cc91bfee7cc19d31b502548dcf3f57)

tags: added: in-stable-ussuri
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/742362

OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (stable/train)

Reviewed: https://review.opendev.org/742362
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=ddf216332ff9a7e8378c78e3e59271ce21719c62
Submitter: Zuul
Branch: stable/train

commit ddf216332ff9a7e8378c78e3e59271ce21719c62
Author: Damien Ciabrini <email address hidden>
Date: Fri Jun 26 16:31:11 2020 +0200

    Ensure post-save certmonger scripts target the right HA container

    HAProxy and RabbitMQ can reload their TLS certificate on change,
    without being restarted. To do that, a post-save script scans the
    list of running containers, copies the new certs and triggers a reload
    action in the service.

    Make sure that those post-save scripts only get the right container
    out of the "$container_cli ps" command, i.e. that the scripts work
    both with HA and non-HA deployments.

    Change-Id: Iaba8da504f9c7a54656cf1abe259dff779ea7125
    Closes-Bug: #1885284
    (cherry picked from commit 3e942b7ff5cc91bfee7cc19d31b502548dcf3f57)
    (cherry picked from commit e0fa5abdf69f4cb7f80bb40c858eef4f7601dea5)

tags: added: in-stable-train
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 11.5.0

This issue was fixed in the openstack/puppet-tripleo 11.5.0 release.
